Skip to Content

Notice

Privacy Act of 1974; Report of a Modified or Altered System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).

ACTION:

Notice of a Modified or Altered System of Records.

SUMMARY:

The Privacy Act of 1974 and section 1106 of the Social Security Act (the Act) explain when and how CMS may release the personal data of people with Medicare. The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Public Law 108-173) added requirements for releasing and using personal data. The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have a Medicare Part D plan. The system will help CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the release of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) help another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) help Medicare Part D plans; (4) support an individual or organization for a research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) help Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain health benefits programs.

To meet these additional requirements, CMS proposes to modify the existing system of records (SOR) titled “Medicare Drug Data Processing System (DDPS),” System No. 09-70-0553, established at 70 Federal Register (FR) 58436 (October 6, 2005). Under this modification we are clarifying the statutory authorities for which these data are collected and disclosed. The original SOR notice cited the statutory section governing CMS's payment of Part D plan sponsors (Social Security Act (the Act) § 1860D-15) that limits the uses of the data collected to plan payment and oversight of plan payment. However, the broad authority of § 1860D-12(b)(3)(D) authorizes CMS to collect, use and disclose these same claims data for broader purposes related to CMS's responsibilities for program administration and research. Furthermore the authority under § 1106 of the Act allows the Secretary to release data pursuant to a regulation, which in this case would be 42 CFR 423.322 and 423.505. CMS has published a Notice of Proposed Rulemaking (NPRM) in order to clarify our statutory authority and explain how we propose to implement the broad authority of § 1860D-12(b)(3)(D). This SOR is being revised to reflect our intended use of this broader statutory authority.

CMS proposes to make the following modifications to the DDPS system:

  • Revise routine use number 1 to include CMS grantees that perform a task for the agency.
  • Add a new routine use number 2 to allow the release of information to other Federal and state agencies for accurate payment of Medicare benefits; to administer a Federal health benefits program, or to fulfill a requirement or allowance of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and help Federal/state Medicaid programs that may need information from this system.
  • Broaden the scope of routine use number 4 to allow the release of data to an individual or organization for a research, evaluation, or epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or payment-related projects.
  • Delete routine use number 5 which authorizes disclosure to support constituent requests made to a congressional representative.
  • Broaden the scope of routine use number 7 and 8, to include combating “waste,” fraud, and abuse that results in unnecessary cost to all Federally-funded health benefit programs.
  • Revise language regarding routine uses disclosures to explain the purpose of the routine use and make clear CMS's intention to release personal information contained in this system.
  • Reorder and prioritize the routine uses.
  • Update any sections of the system affected by the reorganization or revision of routine uses because of MMA provisions. Start Printed Page 7994
  • Update language in the administrative sections to be consistent with language used in other CMS SORs.

Although the Privacy Act allows CMS to only ask for comments on the modified routine uses, CMS is asking for comments on all proposed changes discussed in this notice. See the EFFECTIVE DATES section below for the comment period.

EFFECTIVE DATES:

The modified system will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to the Office of Management and Budget (OMB) and Congress on 02/13/2007, whichever is later, unless CMS receives comments that require changes to this notice.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Room N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., eastern time zone.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Amanda Ryan, Health Insurance Specialist, Division of Payment Systems, Medicare Plan Payment Group, Centers for Beneficiary Choices, CMS, Room C1-26-14, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 410-786-0419 or contact amanda.ryan@cms.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

In December 2003, Congress added Part D under Title XVIII when it passed the Medicare Prescription Drug, Improvement, and Modernization Act. The Act allows Medicare to pay plans to provide Part D prescription drug coverage as described in Title 42, Code of Federal Regulations (CFR) § 423.401. The Act allows Medicare to pay plans in one of four ways: 1. direct subsidies; 2. premium and cost-sharing subsidies for qualifying low-income individuals (low-income subsidy); 3. Federal reinsurance subsidies; and 4. risk-sharing. Throughout this notice, the term “plans” means all entities that provide Part D prescription drug coverage and submit claims data to CMS for payment calculations.

As a condition of payment, all Part D plans must submit data and information necessary for CMS to carry out payment provisions (§ 1860D-15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In addition, these data may be disclosed to other entities, pursuant to § 1860D-12(b)(3)(D) and 42 CFR 423.505 (b)(8) and (f)(3) and (5) for the purposes described in the routine uses described in this SOR notice. Furthermore, this data may be disclosed pursuant to § 1106 of the Act.

This notice explains how CMS would collect data elements on 100% of the Part D prescription drug “claims” or events according to the statute. The data, including dollar fields, would be used for payment purposes, as well as other purposes allowed by § 1860-D. However, some of the other data elements such as pharmacy and prescriber identifiers would be used to validate claims and meet other legislative requirements such as quality monitoring, program integrity, and oversight.

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

This system is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D-15(c)(1)(C) and (d)(2), as described in Title 42, Code of Federal Regulations (CFR) §§ 423.401 and 1860D-12(b)(3)(D) of the Act, as described in 42 CFR §§ 423.505(b)(8) and (f)(3) and (5)).

B. Data in the System

The system contains summary prescription drug claim information on all covered and non-covered drug events for people with Medicare. The data in this system includes prescription drug claim data, health insurance claim number, card holder identification number, date of service, gender, and date of birth (if provided). It also contains provider characteristics, prescriber identification number, assigned provider number (facility, referring/servicing physician), national drug code, total charges, Medicare payment amount, and beneficiary's liability amount.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

Below are CMS' policies and procedures for giving out information maintained in the system. CMS would only release the minimum personal data necessary to achieve the purpose of the DDPS.

1. The information or use of the information is consistent with the reason that the data is being collected.

2. The individually identifiable information is necessary to complete the project (taking into account the risk on the privacy of the individual).

3. The organization receiving the information establishes administrative, technical, and physical protections to prevent unauthorized use of the information; returns or destroys all individually identifiable information when the contract ends; and agrees not to use or give out the information for any purpose other than the reason provided for needing the information.

4. The data are valid and reliable.

The Privacy Act allows CMS to give out identifiable and not-identifiable information for routine uses without an individual's consent. The data described in this notice is listed under Section I. B. above.

III. Routine Uses of Data

A. In addition to those entities specified in the Privacy Act of 1974, CMS may release information from the DDPS without individual consent for some routine uses. Below are the modified routine uses for releasing information without individual consent that CMS would add or modify in the DDPS.

1. To support Agency contractors, consultants, or CMS grantees who are helping CMS with the DDPS and who have a need to access the records in order to provide assistance. Recipients shall be required to comply with the requirements of the Privacy Act, 5 U.S.C. 552a.

CMS must be able to give a contractor, consultant, or CMS grantee necessary information in order to complete their contractual responsibilities. In these situations, protections are provided in the contract prohibiting the contractor, consultant, or grantee from using or releasing the information for any purpose other than that described in the contract. The contract also requires the contractor, consultant, or grantee to return or destroy all information when the contract ends.

2. To help another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent to:

a. contribute to the accuracy of CMS' payment of Medicare benefits,

b. administer a Federal health benefits program or fulfill a Federal statute or regulatory requirement or allowance that implements a health benefits program funded in whole or in part with Federal funds, or

c. access data required for Federal/state Medicaid programs.

Other Federal or state agencies in their administration of a Federal health program may require DDPS information in order to support evaluations and Start Printed Page 7995monitoring of Medicare claims information of beneficiaries, including proper reimbursement for services provided.

In addition, disclosure under this routine use shall be used by state agencies pursuant to agreements with the HHS for determining Medicare or Medicaid eligibility, for quality control studies, for determining eligibility of recipients of assistance under titles IV, XVIII, and XIX of the Act, and for the administration of the Medicare and Medicaid programs. Data will be released to the state only on those individuals who are or were patients under the services of a program within the state or who are residents of that state.

3. To support plans and other entities in protecting their members (and former members for the periods enrolled in a given plan) against unauthorized medical expenses, including unauthorized prescription drug expenses, and providing information about events that affect their members' rights to any benefit or payment. This includes having information to coordinate benefits with Medicare and the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b).

Other insurers may need data in order to support evaluations and monitoring of Medicare claims information, including proper reimbursement for services. In order to receive the information, plans and other entities must:

a. certify that the individual is or was a plan member or is insured and/or employed by, or contracted with another entity for whom they serve as a Third Party Administrator;

b. use the information only to process the individual's insurance claims; and

c. safeguard the confidentiality of the data to prevent unauthorized access.

4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. CMS must:

a. determine if the use or release of data violate legal limitations under which the record was provided, collected, or obtained;

b. determine that the purpose for the release of information:

(1) cannot be reasonably accomplished unless the record is provided in individually identifiable form,

(2) is of sufficient importance to warrant the effect or risk on the privacy of the individual, and

(3) meets the objectives of the project;

c. requires the recipient of the information to:

(1) establish reasonable administrative, technical, and physical protections to prevent unauthorized use or release of information,

(2) return or destroy the information unless there is an acceptable research reason for keeping the information, and

(3) no longer use or release information except:

(a) in emergency circumstances affecting the health or safety of any individual,

(b) for use in another research project, under these same conditions and with written CMS approval,

(c) for an audit related to the research, or

(d) when required by Federal law.

d. get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice.

e. complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

DDPS data will provide for research, evaluation, and epidemiological projects, a broader, longitudinal, national perspective of the status of Medicare beneficiaries. CMS anticipates that many researchers will have legitimate requests to use these data in projects that could ultimately improve the care provided to Medicare beneficiaries and the policy that governs the care.

5. To support Quality Improvement Organizations (QIO) in the claims review process, or with studies or other review activities performed in accordance with Part B of Title XI of the Act. QIOs can also use the data for outreach activities to establish and maintain entitlement to Medicare benefits or health insurance plans.

QIOs will work to implement quality improvement programs, provide consultation to CMS, its contractors, and to state agencies. QIOs will assist the state agencies in related monitoring and enforcement efforts, assist CMS and intermediaries in program integrity assessment, and prepare summary information for release to CMS.

6. To the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individual capacity (if the DOJ agrees to represent the employee), or the United States Government is a party or CMS' policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of the records is for a purpose that is compatible with the purpose for which CMS collected the records.

Whenever CMS is involved in litigation, or occasionally when another party is involved in litigation and CMS' policies or operations could be affected by the outcome of the litigation, CMS would be able to disclose information to the DOJ, court, or adjudicatory body involved.

7. To help a CMS contractor that assists in the administration of a CMS health benefits program or a grantee of a CMS-administered grant program if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose.

CMS must be able to give a contractor or CMS grantee necessary information in order to complete their contractual responsibilities. In these situations, protections are provided in the contract prohibiting the contractor or grantee from using or releasing the information for any purpose other than that described in the contract. It also requires the contractor or grantee to return or destroy all information when the contract ends.

8. To help another Federal agency or any United States government jurisdiction (including any state or local governmental agency) if the information is necessary, in any capacity, to combat fraud, waste, or abuse in a health benefits program that is funded in whole or in part by Federal funds.

Other agencies may require DDPS information for the purpose of combating fraud, waste, or abuse in such Federally-funded programs.

B. To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (December 28, 2000), release of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.” (See 45 CFR 164.512(a)(1)).

C. In addition, CMS will not give out information that is not directly identifiable if there is a possibility that a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it's required by law. Start Printed Page 7996

IV. Protections

CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system can't release data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems.

This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook.

V. Effects on Individual Rights

CMS doesn't anticipate a negative effect on individual privacy as a result of giving out personal information from this system. CMS established this system in accordance with the principles and requirements of the Privacy Act and would collect, use, and release information that follow these requirements. CMS would only give out the minimum amount of personal data to achieve the purpose of the system. Release of information from the system will be approved only to the extent necessary to accomplish the purpose of releasing the data. CMS has assigned a higher level of security clearance for the information maintained in this system in an effort to provide added security and protection of individuals' personal information of an individuals' personal information, and, if feasible, ask that once the information is no longer needed that it be returned or destroyed.

CMS would take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy, or other personal or property rights. CMS would collect only information necessary to perform the system's functions. In addition, CMS would only give out information if the individual, or his or her legal representative has given approval, or if allowed by one of the exceptions noted in the Privacy Act.

Start Signature

Dated: February 13, 2007.

Charlene Frizzera,

Acting Chief Operating Officer, Centers for Medicare & Medicaid Services.

End Signature

SYSTEM No. 09-70-0553

SYSTEM NAME:

Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.

SECURITY CLASSIFICATION:

Level Three Privacy Act Sensitive.

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system contains summary prescription drug claim information on all covered and non-covered drug events for people with Medicare.

CATEGORIES OF RECORDS IN THE SYSTEM:

The data in this system includes prescription drug claim data, health insurance claim number, card holder identification number, date of service, gender, and date of birth (if provided). It also contains provider characteristics, prescriber identification number, assigned provider number (facility, referring/servicing physician), national drug code, total charges, Medicare payment amount, and beneficiary's liability amount.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

This system is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act (the Act) by adding Part D under Title XVIII (§§ 1860D-15(c)(1)(C) and (d)(2), as described in Title 42, Code of Federal Regulations (CFR) 423.401 and 1860D-12(b)(3)(D) of the Act, as described in 42 CFR 423.505(b)(8) and (f)(3) and (5). Furthermore, this data may be disclosed pursuant to § 1106 of the Act.

PURPOSE (S) OF THE SYSTEM:

The primary purpose of this system is to collect, maintain, and process information on all Medicare covered and as many non-covered drug events as possible, for people with Medicare who have a Medicare Part D plan. The system will help CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the release of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) help another Federal and/or State agency, agency of a State government, an agency established by State law, or its fiscal agent; (3) help Medicare Part D plans; (4) support an individual or organization for a research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) help Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain health benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

ROUTINE USES OF DATA:

A. In addition to those entities specified in the Privacy Act of 1974, CMS may release information from the DDPS without individual consent for some routine uses. Below are the modified routine uses for releasing information without individual consent that CMS would add or modify in the DDPS.

1. To support Agency contractors, consultants, or CMS grantees who are helping CMS with the DDPS and who have a need to access the records in order to provide assistance. Recipients shall be required to comply with the requirements of the Privacy Act, 5 U.S.C. 552a.

2. To help another Federal or State agency, agency of a State government, an agency established by State law, or its fiscal agent to:

a. Contribute to the accuracy of CMS' payment of Medicare benefits,

b. Administer a Federal health benefits program or fulfill a Federal statute or regulatory requirement or allowance that implements a health benefits program funded in whole or in part with Federal funds, or

c. Access data required for Federal/State Medicaid programs.

3. To support plans and other entities in protecting their members (and former Start Printed Page 7997members for the periods enrolled in a given plan) against unauthorized medical expenses, including unauthorized prescription drug expenses, and providing information about events that affect their members' rights to any benefit or payment. This includes having information to coordinate benefits with Medicare and the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b).

4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public's health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. CMS must:

a. Determine if the use or release of data violate legal limitations under which the record was provided, collected, or obtained;

b. Determine that the purpose for the release of information:

(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form, (2) is of sufficient importance to warrant the effect or risk on the privacy of the individual, and

(3) Meets the objectives of the project;

c. Requires the recipient of the information to:

(1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or release of information, (2) return or destroy the information unless there is an acceptable research reason for keeping the information, and

(3) No longer use or release information except:

(a) In emergency circumstances affecting the health or safety of any individual,

(b) For use in another research project, under these same conditions and with written CMS approval,

(c) For an audit related to the research, or (d) when required by Federal law.

d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice.

e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

5. To support Quality Improvement Organizations (QIO) in the claims review process, or with studies or other review activities performed in accordance with Part B of Title XI of the Act. QIOs can also use the data for outreach activities to establish and maintain entitlement to Medicare benefits or health insurance plans.

6. To the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individual capacity (if the DOJ agrees to represent the employee), or the United States Government is a party or CMS' policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of the records is for a purpose that is compatible with the purpose for which CMS collected the records.

7. To help a CMS contractor that assists in the administration of a CMS health benefits program or a grantee of a CMS-administered grant program if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose.

8. To help another Federal agency or any United States government jurisdiction (including any State or local governmental agency) if the information is necessary, in any capacity, to combat fraud, waste, or abuse in a health benefits program that is funded in whole or in part by Federal funds.

B. To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (December 28, 2000), release of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.” (See 45 CFR 164.512(a)(1)).

C. In addition, CMS will not give out information that is not directly identifiable if there is a possibility that a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it's required by law.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media).

RETRIEVABILITY:

Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary State code.

PROTECTIONS:

CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system can't release data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems.

This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:

Records will be retained until an approved disposition authority is obtained from the National Archive and Records Administration.

SYSTEM MANAGER AND ADDRESS:

Director, Division of Payment Systems, Medicare Plan Payment Group, Centers for Beneficiary Choices, CMS, Room C1-26-14, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:

For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, facility/pharmacy number, service dates, etc.).

RECORD ACCESS PROCEDURE:

For purpose of access, use the same procedures outlined in Notification Start Printed Page 7998Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:

The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:

Summary prescription drug claim information contained in this system is obtained from the Prescription Benefit Package (PBP) Plans and Medicare Advantage (MA-PBP) Plans daily and monthly drug event transaction reports, Medicare Beneficiary Database (09-70-0530), and other payer information to be provided by the TROOP Facilitator.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:

None.

End Supplemental Information

[FR Doc. E7-2984 Filed 2-21-07; 8:45 am]

BILLING CODE 4120-03-P